CLAIMS

1. A method for a first Web service provider to invoke a service hosted on a
second Web service provider on behalf of a principal in a computer environment,
comprising the steps of: 

said principal logging in with a discovery service; 

said discovery service passing to said principal an identity assertion 
associated with said principal and a discovery service descriptor associated with said 
discovery service for use by principal for future authentication;

said principal authenticating using said identity assertion and using said 
discovery service descriptor at a Web service client, said Web service client linking 
to and representing a desired commerce site of said principal; 

in response to an action related to said desired commercial site, said Web 
service client requesting a first service descriptor associated with said first Web
service and a first service assertion associated with said first Web service from said 
discovery service; 

in response to receiving said first service descriptor and said first service 
assertion, said Web service client invoking a desired service at said first Web 
service;

upon said first Web service determining a need to invoke a second desired 
service at a second Web service, said first Web service requesting from said 
discovery service a second service descriptor associated with said second Web 
service and a second service assertion associated with said second Web service; 
and

in response to receiving said request for said second service descriptor and
said second service assertion, said discovery service adding said second service 
assertion to said first service assertion and subsequently passing said first service 
assertion and said second service descriptor to said first Web service;

in response to receiving said first service assertion and second service
descriptor, said first Web service invoking said desired second service at said
second Web service. 

2. The method of Claim 1, wherein said first Web service invokes one or more 
services hosted on one or more Web servers.

3. The method of Claim 1, wherein said Web service client, said discovery 
service, said first Web server, and said second Web server are members of a 
federation relationship in which each member trusts said discovery service. 

4. The method of Claim 1, wherein said service assertion is any of, but not 
limited to: 

a ticket; 
a token; 

is notarized by said discovery service; and 
is certified by said discovery service. 

5. The method of Claim 4, wherein said service assertion is implemented using 
any of, but not limited to: 

a string; 
a certificate;
a public key;

discovery keys wherein the discovery service has copies of the keys; and 
any other form of cryptography. 

6. The method of Claim 1, wherein said service descriptor comprises any of, but
not limited to: 

a URL; 

a String; and 

a Simple Object Access Protocol (SOAP) address for Web services. 
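
As an added illustration (not part of the claims or of any implementation by the applicant), the sketch below walks the assertion flow of Claim 1 under the "discovery keys" option of Claim 5, where the discovery service holds a copy of each member's key and notarizes each assertion with an HMAC. The class and function names, keys, URLs and the `sub`/`aud` fields are assumptions; the login step is taken as already done, and expiry and replay protection are omitted.

```python
import hashlib
import hmac
import json

class DiscoveryService:
    """Toy discovery service holding a copy of each member's key (assumed model)."""

    def __init__(self, registry):
        self.registry = registry  # service name -> (descriptor URL, shared key)

    def _notarize(self, principal, service):
        url, key = self.registry[service]
        body = json.dumps({"sub": principal, "aud": service}, sort_keys=True)
        tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
        return url, {"body": body, "tag": tag}

    def first(self, principal, service):
        """Client request: first descriptor and a one-link assertion."""
        url, link = self._notarize(principal, service)
        return url, [link]

    def extend(self, assertion, caller, target):
        """Caller's request: add a link for target to the caller's assertion."""
        claims = verify(assertion, caller, self.registry[caller][1])
        url, link = self._notarize(claims["sub"], target)
        return url, assertion + [link]

def verify(assertion, me, my_key):
    """Receiving service: accept only a link notarized for this service."""
    for link in assertion:
        want = hmac.new(my_key, link["body"].encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(want, link["tag"]):
            continue  # check the MAC before trusting the body
        claims = json.loads(link["body"])
        if claims.get("aud") == me:
            return claims
    raise PermissionError(f"no valid assertion for {me}")

# Constructed sample keys and descriptors; not taken from the claims.
K1, K2 = b"constructed-key-svc1", b"constructed-key-svc2"
ds = DiscoveryService({"svc1": ("https://svc1.example/soap", K1),
                       "svc2": ("https://svc2.example/soap", K2)})

def run():
    url1, assertion = ds.first("alice", "svc1")             # client -> discovery
    verify(assertion, "svc1", K1)                           # client -> first service
    url2, assertion = ds.extend(assertion, "svc1", "svc2")  # first -> discovery
    return url2, verify(assertion, "svc2", K2)["sub"], len(assertion)
```

Because each link is bound to one audience, the second service rejects an assertion that carries only the first service's link, and any change to a link's body invalidates its tag.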

7. An apparatus for a first Web service provider to invoke a service hosted on a 
second Web service provider on behalf of a principal in a computer environment, 
comprising: 

means for said principal logging in with a discovery service; 

means for said discovery service passing to said principal an identity 
assertion associated with said principal and a discovery service descriptor 
associated with said discovery service for use by principal for future authentication; 

means for said principal authenticating using said identity assertion and using 
said discovery service descriptor at a Web service client, said Web service client 
linking to and representing a desired commerce site of said principal; 

in response to an action related to said desired commercial site, means for 
said Web service client requesting a first service descriptor associated with said first 
Web service and a first service assertion associated with said first Web service from 
said discovery service;

in response to receiving said first service descriptor and said first service
assertion, means for said Web service client invoking a desired service at said first 
Web service; 

upon said first Web service determining a need to invoke a second desired 
service at a second Web service, means for said first Web service requesting from
said discovery service a second service descriptor associated with said second Web 
service and a second service assertion associated with said second Web service; 
and 

in response to receiving said request for said second service descriptor and 
said second service assertion, means for said discovery service adding said second
service assertion to said first service assertion and subsequently passing said first 
service assertion and said second service descriptor to said first Web service; 

in response to receiving said first service assertion and second service 
descriptor, means for said first Web service invoking said desired second service at 
said second Web service.

8. The apparatus of Claim 7, wherein said first Web service invokes one or more 
services hosted on one or more Web servers. 

9. The apparatus of Claim 7, wherein said Web service client, said discovery
service, said first Web server, and said second Web server are members of a 
federation relationship in which each member trusts said discovery service. 

10. The apparatus of Claim 7, wherein said service assertion is any of, but not 
limited to:

a ticket;
a token;

is notarized by said discovery service; and 
is certified by said discovery service. 



11. The apparatus of Claim 10, wherein said service assertion is implemented
using any of, but not limited to:

a string;
a certificate;
a public key;

discovery keys wherein the discovery service has copies of the keys; and
any other form of cryptography.



12. The apparatus of Claim 7, wherein said service descriptor comprises any of, 
but not limited to: 

a URL;

a String; and 

a Simple Object Access Protocol (SOAP) address for Web services. 

13. A program storage medium readable by a computer, tangibly embodying a 
program of instructions executable by the computer to perform a method for updating
address information in a computer environment, the method comprising the steps of:

said principal logging in with a discovery service;

said discovery service passing to said principal an identity assertion 
associated with said principal and a discovery service descriptor associated with said 
discovery service for use by principal for future authentication;

said principal authenticating using said identity assertion and using said
discovery service descriptor at a Web service client, said Web service client linking 
to and representing a desired commerce site of said principal; 

in response to an action related to said desired commercial site, said Web 
service client requesting a first service descriptor associated with said first Web
service and a first service assertion associated with said first Web service from said 
discovery service; 

in response to receiving said first service descriptor and said first service 
assertion, said Web service client invoking a desired service at said first Web 
service;

upon said first Web service determining a need to invoke a second desired
service at a second Web service, said first Web service requesting from said 
discovery service a second service descriptor associated with said second Web 
service and a second service assertion associated with said second Web service; 
and

in response to receiving said request for said second service descriptor and 
said second service assertion, said discovery service adding said second service 
assertion to said first service assertion and subsequently passing said first service 
assertion and said second service descriptor to said first Web service;

in response to receiving said first service assertion and second service
descriptor, said first Web service invoking said desired second service at said
second Web service. 

14. The medium of Claim 13, wherein said first Web service invokes one or more 
services hosted on one or more Web servers.

15. The medium of Claim 13, wherein said Web service client, said discovery
service, said first Web server, and said second Web server are members of a 
federation relationship in which each member trusts said discovery service. 

16. The medium of Claim 13, wherein said service assertion is any of, but not 
limited to: 

a ticket; 
a token; 

is notarized by said discovery service; and 
is certified by said discovery service. 

17. The medium of Claim 16, wherein said service assertion is implemented using 
any of, but not limited to: 

a string; 
a certificate; 
a public key; 

discovery keys wherein the discovery service has copies of the keys; and 
any other form of cryptography. 

18. The medium of Claim 13, wherein said service descriptor comprises any of, 
but not limited to: 

a URL; 

a String; and 

a Simple Object Access Protocol (SOAP) address for Web services.

19. A process for a first Web service provider to invoke a service hosted on a
second Web service provider on behalf of a principal in a computer environment, 
comprising the steps of: 

said principal logs in with a discovery service for subsequent authentication;

in response to said log in, said discovery service passing an identity assertion
and a discovery service descriptor to said principal;

said principal uses said identity assertion and said discovery service 
descriptor to access a Web commerce site with a Web service client software 
interface application; 

said Web service client software interface application requesting a first service
descriptor and a first service assertion for a first desired service at a first Web server
from said discovery service; 

in response to receiving said first service descriptor and said first service 
assertion from said discovery service, said Web service client software interface 
application invoking said first desired service at said first Web server;

said first Web server requesting a second service descriptor and a second 
service assertion for a second desired service at a second Web server from said 
discovery service; and 

in response to receiving said second service descriptor and said second 
service assertion from said discovery service, said first Web server invoking said
second desired service at said second Web server on behalf of said principal. 

20. An apparatus for a first Web service provider to invoke a service hosted on a 
second Web service provider on behalf of a principal in a computer environment,
comprising:

means for said principal logs in with a discovery service for subsequent
authentication; 

in response to said log in, means for said discovery service passing an 
identity assertion and a discovery service descriptor to said principal;

means for said principal using said identity assertion and said discovery
service descriptor to access a Web commerce site with a Web service client
software interface application; 

means for said Web service client software interface application requesting a 
first service descriptor and a first service assertion for a first desired service at a first 
Web server from said discovery service;

in response to receiving said first service descriptor and said first service 
assertion from said discovery service, means for said Web service client software 
interface application invoking said first desired service at said first Web server; 

means for said first Web server requesting a second service descriptor and a 
second service assertion for a second desired service at a second Web server from
said discovery service; and 

in response to receiving said second service descriptor and said second 
service assertion from said discovery service, means for said first Web server 
invoking said second desired service at said second Web server on behalf of said 
principal.

21. A program storage medium readable by a computer, tangibly embodying a 
program of instructions executable by the computer to perform a method for updating 
address information in a computer environment, the method comprising the steps of:

said principal logs in with a discovery service for subsequent authentication;

in response to said log in, said discovery service passing an identity assertion
and a discovery service descriptor to said principal; 

said principal uses said identity assertion and said discovery service 
descriptor to access a Web commerce site with a Web service client software 
interface application;

said Web service client software interface application requesting a first service 
descriptor and a first service assertion for a first desired service at a first Web server 
from said discovery service; 

in response to receiving said first service descriptor and said first service 
assertion from said discovery service, said Web service client software interface
application invoking said first desired service at said first Web server; 

said first Web server requesting a second service descriptor and a second 
service assertion for a second desired service at a second Web server from said 
discovery service; and 

in response to receiving said second service descriptor and said second
service assertion from said discovery service, said first Web server invoking said
second desired service at said second Web server on behalf of said principal.